Revisions

v1.0 10.27.2011

This policy is intended to ensure changes to Information Technology (IT) systems are managed in a rational and predictable manner so that staff and customers can plan accordingly.

This policy applies to all production systems that are maintained by, on behalf of, or involve the IT resources of the Division of Information Technology.  Systems outside the preview of the Division of Information Technology are strongly encouraged to follow this policy.

1.     Every change to a Creighton production IT resource such as: operating systems, computing hardware, networks, and applications is subject to the Change Management Policy and must follow the Change Management Operating Procedures.

2.     A Change Advisory Board (CAB) will meet regularly to review change requests and to ensure that change reviews and communications are being satisfactorily performed.

3.     Creighton has established a scheduled maintenance window that occurs between 10pm Friday and 4am on Saturday. All changes affecting user connectivity and access to IT services must be scheduled within this window of time unless otherwise approved by the CAB.

4.     Only significant, major and emergency changes, as defined in the Change Management Operation Procedures, require the submission of a formal written request for change (RFC).

a.     Minor changes should be approved by departmental CABs following departmental procedures.

b.    Standard changes, as approved by the CAB, do not require formal written requests for change but still require customer notification.

5.     Emergency Changes are defined as change that must be made to address an issue that is impacting service levels, a change that increases risk if not implemented, or a change that must be implemented in a timeframe shorter than outlined for a normal change in the Change Management Operation procedures.

a.     Emergency changes still require the formal submission of an emergency RFC, prior to the change, as outlined in the Change Management Operation Procedures.

6.     A formal RFC is not required to address Break/Fix issues.  Break/Fix issues are defined as outages of IT resources that require immediate changes to bring the resource back into working order.

7.     All non-emergency RFCs must be submitted in accordance with Change Management Operating Procedures with 2 weeks of prior notice so that the CAB has time to review the request and obtain necessary CAB approvals.

8.     All significant, major and emergency changes to Creighton IT resources must receive formal CAB approval before proceeding with the change.

9.     Customer notification must be completed one week in advance of the change following the steps outlined in the Change Management Operating Procedures.

A Change Management Log must be maintained for all changes

See the Change Management Operation Procedures [Located in CAB share on DFS]

Change Requesters are responsible for ensuring adherence to this policy and associate procedures when planning and executing changes to production IT resources.

Change Advisory Board is responsible for approving or denying all submitted requests for change.

This policy shall be administered by Information Security.  Questions regarding this policy should be directed to the Information Security Officer.

The University reserves the right to modify, amend or terminate this policy at any time.  This policy does not constitute a contract between the University and its faculty or employees.

none

No exceptions to this policy are allowed assuming the technology is available to adhere to the policy.

Any known violations of this policy should be reported to the University's Information Security Officer at 402-280-2386 or via e-mail to security_team@creighton.edu.

Violations of this policy can result in immediate withdrawal or suspension of system and network privileges and/or disciplinary action in accordance with University procedures.

The University may advise law enforcement agencies when a criminal offense may have been committed.